[Snort-users] Snort not logging all alerts in pcap (was Oddness with 16295)

James Lay jlay at ...13475...
Mon Nov 15 14:01:57 EST 2010


Hrmm.  Well, this is snort 2.9.0.1.  I've recompiled it without gre and
performance stats so we'll see what happens.

James

On 11/13/10 5:25 AM, "rmkml" <rmkml at ...1855...> wrote:

>Hi James,
>It's perfect, what's the problem?
>If I remember correctly, Snort writes only one packet to the pcap file for one
>alert... (not the stream reassembly)
>What Snort version do you use?
>Maybe Snort "dropped" the packet? Read your log for the packet stats, or send 'kill
>-USR1 snort_pid'...
>Regards
>Rmkml
>
>
>On Thu, 11 Nov 2010, Lay, James wrote:
>
>> 
>> OK so now I'm sure there's an issue.  Below are more examples... everything is
>> fine until alert timestamps 11/11-10:38:38.577756 and 11/11-10:38:38.818757... they
>> are simply not there in the corresponding pcap file.  My settings are as follows:
>> 
>>  
>> 
>> output alert_fast: internetalert.fast
>> 
>> output log_tcpdump: internettcpdump.pcap
>> 
>>  
>> 
>> Any reason some packets aren't getting logged in the pcap file?  Any
>> pointers would be excellent.
>> 
>>  
>> 
>> James 
>> 
>>  
>> 
>> [10:45:48 jlay at ...15049...:~/log$] sudo tail -n 20 internetalert.fast
>> 
>> 11/11-10:26:15.284212  [**] [1:2008418:4] ET POLICY Metasploit Framework Update [**] [Classification: Misc activity] [Priority: 3] {TCP} 216.75.1.230:443 -> 10.21.0.9:53302
>> 11/11-10:27:41.141234  [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 68.142.93.133:80 -> 10.21.0.16:62912
>> 11/11-10:27:58.026044  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:62962 -> 85.17.84.214:80
>> 11/11-10:30:04.970609  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80
>> 11/11-10:30:36.362238  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388
>> 11/11-10:30:44.274148  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427
>> 11/11-10:32:33.810911  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450
>> 11/11-10:34:04.413890  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80
>> 11/11-10:35:42.820754  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404
>> 11/11-10:35:49.670676  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432
>> 11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
>> 11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
>> 11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835
>> 11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80
>> 11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
>> 11/11-10:40:57.546175  [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.171.185.196:80 -> 10.21.0.16:1281
>> 11/11-10:41:42.069675  [**] [1:648:10] SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 207.171.185.196:80 -> 10.21.0.16:1493
>> 11/11-10:43:16.912596  [**] [1:5713:3] WEB-CLIENT Windows Metafile invalid header size integer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 65.55.69.143:80 -> 10.21.0.16:1491
>> 11/11-10:45:35.275018  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634
>> 
>>  
>> 
>> From pcap file:
>> 
>> 10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack 1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329], length 1388
>> 10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack 3472428307, win 65535, length 1400
>> 10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq 3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0
>> 10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack 1095737173, win 65535, length 20
>> 10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack 2060485191, win 7504, length 1400
>> 10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack 1404174044, win 7066, length 1400
>> 10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.], ack 2592865250, win 1023, length 1380
>> 10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.], ack 87661050, win 65535, length 12
>> 10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack 706084536, win 7504, length 1400
>> 10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack 3592031382, win 7066, length 1400
>> 10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
>> 10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400
>> 10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack 237172578, win 65535, length 1380
>> 10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack 1349174870, win 49664, length 1380
>> 10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack 1907873745, win 13425, length 1400
>> 10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack 1374951746, win 7504, length 1400
>> 
>>  
>> 
>>  
>> 
>> From: Lay, James [mailto:james.lay at ...15009...]
>> Sent: Thursday, November 11, 2010 10:43 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Oddness with 16295
>> 
>>  
>> 
>> Bump... no takers on this?
>> 
>>  
>> 
>> From: Lay, James [mailto:james.lay at ...15009...]
>> Sent: Wednesday, November 10, 2010 10:52 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: Oddness with 16295
>> 
>>  
>> 
>> So this is weird... looking at this hit:
>> 
>>  
>> 
>> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
>> 
>>  
>> 
>> Fairly certain it's an fp, but... when I hit the pcap dump file, it
>> doesn't show... here are consecutive hits in the alert file:
>> 
>>  
>> 
>> 11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
>> 11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
>> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
>> 11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80
>> 
>>  
>> 
>> And from the pcapfile:
>> 
>> sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
>> 
>> 10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400
>> 10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400
>> 10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536
>> 
>>  
>> 
>> So where did 16295 go?  A quick check for that IP gives nothing:
>> 
>> [10:48:24 jlay at ...15049...:~/log$] sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 ip and host 204.11.109.23
>> 
>> reading from file internettcpdump.pcap.1289401395, link-type EN10MB (Ethernet)
>> 
>> [10:50:21 jlay at ...15049...:~/log$]
>> 
>>  
>> 
>> James Lay
>> 
>> IT Security Analyst
>> 
>> WinCo Foods
>> 
>> 208-672-2014 Office
>> 
>> 208-559-1855 Cell
>> 
>> 650 N Armstrong Pl.
>> 
>> Boise, Idaho 83704
>> 
>>  
>> 
>> 
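The comparison James did by eye, as an added example that is not part of the thread and not Snort's own tooling: the script parses alert_fast lines and the text output of `tcpdump -n -r` on the log_tcpdump file, matches each alert to a packet by packet timestamp plus the TCP/UDP 4-tuple (as the listings above show, log_tcpdump stamps the packet with the same timestamp the alert carries), and reports every alert that has no packet. The embedded sample input is constructed from the 10:34 to 10:40 window of the two listings above; on it the check flags the two 17487 alerts James names and also the 10:38:46 Facebook Chat alert, which has no packet in the pcap listing either. Assumptions: tcpdump run with `-n` and without `-tttt` (numeric addresses, time of day only, so matching is per capture file rather than across days), alerts that carry ports, and rmkml's one-packet-per-alert model; the file names in the usage note are placeholders.

```python
"""Cross-check a Snort alert_fast file against its log_tcpdump pcap (read via tcpdump -n -r)."""
import re
import sys
from collections import Counter

# One alert_fast line, e.g.
# 11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN ... [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
# The Classification field is optional (preprocessor alerts such as 119:14:1 lack it).
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# One line of 'tcpdump -n -r file.pcap' (default time format: time of day only), e.g.
# 10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq ...
PACKET_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def packet_key(time, src, sport, dst, dport):
    """The tuple both listings share: packet timestamp plus the TCP/UDP 4-tuple."""
    return (time, src, int(sport), dst, int(dport))


def parse_alerts(text):
    """Return one dict per parsable alert_fast line, in file order."""
    return [m.groupdict() for m in (ALERT_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_packets(text):
    """Return a multiset of packet keys seen in tcpdump -r output; unparsable lines are skipped."""
    keys = Counter()
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            keys[packet_key(m["time"], m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return keys


def unlogged_alerts(alerts, packets):
    """Alerts with no packet of the same timestamp and 4-tuple in the pcap.

    Each packet is consumed once, following the one-packet-per-alert model rmkml
    describes (assumption): two alerts on one packet need two copies in the pcap,
    otherwise the second alert is reported as unlogged.
    """
    remaining = Counter(packets)
    missing = []
    for a in alerts:
        key = packet_key(a["time"], a["src"], a["sport"], a["dst"], a["dport"])
        if remaining[key] > 0:
            remaining[key] -= 1
        else:
            missing.append(a)
    return missing


def check(alert_text, packet_text):
    """Return (alert count, packet count, list of alerts without a packet)."""
    alerts = parse_alerts(alert_text)
    packets = parse_packets(packet_text)
    return len(alerts), sum(packets.values()), unlogged_alerts(alerts, packets)


# Constructed sample input, copied from the 10:34 to 10:40 window of the thread's listings.
ALERT_FAST_SAMPLE = """\
11/11-10:34:04.413890  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80
11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835
11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80
11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
"""

TCPDUMP_SAMPLE = """\
10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.], ack 87661050, win 65535, length 12
10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400
"""


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real files: alert_fast output and saved 'tcpdump -n -r' output
        alert_text, packet_text = read_text(sys.argv[1]), read_text(sys.argv[2])
    else:  # no arguments: run on the constructed sample
        alert_text, packet_text = ALERT_FAST_SAMPLE, TCPDUMP_SAMPLE
    n_alerts, n_packets, missing = check(alert_text, packet_text)
    print(f"{n_alerts} alerts, {n_packets} packets, {len(missing)} alerts without a packet")
    for a in missing:
        print(f"  {a['date']}-{a['time']} [{a['gid']}:{a['sid']}:{a['rev']}] "
              f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
```

Usage against real files (placeholder names): `sudo tcpdump -n -r internettcpdump.pcap > pkts.txt` and then `python3 snort_pcap_check.py internetalert.fast pkts.txt`. The `-n` matters because the regex expects dotted-quad addresses, not resolved names, and the snaplen argument (`-s 1524` in James's command) makes no difference to the header fields the check uses. Note the duplicate-key handling in `unlogged_alerts`: if two rules fire on the same packet and the pcap holds only one copy, the second alert is reported, which is deliberate under the one-packet-per-alert assumption but would over-report on a sensor that writes each packet only once.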